OData (Open Data Protocol) services facilitate access to business functionality for disparate clients such as HTML5 applications or mobile clients. OAuth is the authorization concept used for OData services. OAuth provides constrained access to services without requiring the client to pass or store a credential such as a user ID and password. Rather, the client application uses an access token to access a constrained set of services from a service provider.
Conventional database applications running on a cloud-based database server may support the OAuth mechanism in two different ways. In one scenario, a browser-based client application uses a secret key to authenticate with a token/service provider, which in turn provides a token required to access a particular service. The client application then uses this token to directly call the token/service provider. This approach is not secure because the secret key and the token are stored in the browser application.
In another scenario, such as that depicted in FIG. 1, a portal server exposes a proxy for the token/service provider to the client/browser application. The browser application sends a resource request to the proxy, which authenticates with the token/service provider using a secret key stored on the server, and then requests the required token therefrom. After receiving the token, the proxy appends the token to the resource request and forwards the request to the token/service provider. The token is also used for subsequent resource requests received from the browser application. As illustrated, the browser application is not able to directly call the service provider or directly receive resources therefrom. This negatively impacts the performance of the application.
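The proxy flow described above can be modelled in a few lines. This is an added example, not part of the original text; the class names, the `/odata/...` paths and the secret value are constructed, and carrying the token in an `Authorization: Bearer` header is an assumption about how the token is appended to the request.

```python
import hmac
import secrets

class TokenServiceProvider:
    """Stand-in for the token/service provider: issues tokens and serves resources."""
    def __init__(self, client_secret):
        self._client_secret = client_secret
        self._valid_tokens = set()
        self.tokens_issued = 0

    def issue_token(self, presented_secret):
        if not hmac.compare_digest(presented_secret, self._client_secret):
            raise PermissionError("invalid client secret")
        token = secrets.token_urlsafe(32)
        self._valid_tokens.add(token)
        self.tokens_issued += 1
        return token

    def get_resource(self, path, headers):
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        if token not in self._valid_tokens:
            return {"status": 401, "body": "missing or invalid token"}
        return {"status": 200, "body": f"resource at {path}"}

class PortalProxy:
    """Server-side proxy: the secret key and token stay here, never in the browser."""
    def __init__(self, provider, client_secret):
        self._provider = provider
        self._client_secret = client_secret
        self._token = None

    def handle_browser_request(self, path):
        if self._token is None:  # first request: authenticate and fetch a token
            self._token = self._provider.issue_token(self._client_secret)
        # Append the token to the resource request and forward it.
        headers = {"Authorization": f"Bearer {self._token}"}
        upstream = self._provider.get_resource(path, headers)
        # Return only status and body; the token is never echoed to the browser.
        return {"status": upstream["status"], "body": upstream["body"]}

def demo():
    secret = "constructed-demo-secret"  # constructed value, kept server-side
    provider = TokenServiceProvider(secret)
    proxy = PortalProxy(provider, secret)
    first = proxy.handle_browser_request("/odata/Orders")
    second = proxy.handle_browser_request("/odata/Customers")
    direct = provider.get_resource("/odata/Orders", {})  # no token: rejected
    return first, second, direct, provider.tokens_issued
```

Every browser request takes the extra hop through `handle_browser_request`, which is the performance cost the paragraph above refers to; in exchange, the browser's response carries neither the secret key nor the token.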